Shopify Subdomain Takeovers

4 points

2 years ago

Per the tin. Looks like a coordinated "attack" on Shopify customers. Malicious entities are spinning up various fake shops under the "ftp" CNAME that is quite regularly auto-provisioned by various registrars. No validation needed! Google Search Console access included!

Similar (same?) vulnerability was reported to Shopify in 2018 and it's still there: https://medium.com/@thebuckhacker/how-to-do-55-000-subdomain-takeover-in-a-blink-of-an-eye-a94954c3fc75

Whilst I get that it's not necessarily a Shopify's fault that people leave dangling records I'd expect more from a company that offers a no-code solution.

1) https://support.google.com/webmasters/thread/257728643/unknown-person-added-themselves-as-owner-of-my-domain-in-search-console

2) https://support.google.com/webmasters/thread/258587184/subdomain-hacking-and-new-owner

3) https://www.reddit.com/r/shopify/comments/19dd6p6/my_shopify_stores_ftp_has_been_hijacked_any_ideas/

4) https://community.shopify.com/c/shopify-discussions/help-unidentified-person-added-as-owner/m-p/2435684

4 comments